# HG changeset patch
# User Mads Kiilerich
# Date 1605110620 -3600
# Node ID 48b9fdef5e7f1c89f0c1301faec21b531e1abbda
# Parent df930758dcf7da1303aa4ca3bccbaecf762c81b9
repo_groups: extra escape of names when used in select drop-downs

The lack of escaping could be a problem *if* it was possible to create repo groups with dangerous names. This was seen for example when specifying parent group of repos and repo groups. We want to keep groups_choices as HTML literals so paths can use » as separator.

diff -r df930758dcf7 -r 48b9fdef5e7f kallithea/model/db.py
--- a/kallithea/model/db.py	Wed Nov 11 16:45:42 2020 +0100
+++ b/kallithea/model/db.py	Wed Nov 11 17:03:40 2020 +0100
@@ -1407,9 +1407,10 @@
     def _generate_choice(cls, repo_group):
         """Return tuple with group_id and name as html literal"""
         from webhelpers2.html import literal
+        import kallithea.lib.helpers as h
         if repo_group is None:
             return (-1, '-- %s --' % _('top level'))
-        return repo_group.group_id, literal(cls.SEP.join(repo_group.full_path_splitted))
+        return repo_group.group_id, literal(cls.SEP.join(h.html_escape(x) for x in repo_group.full_path_splitted))
 
     @classmethod
     def groups_choices(cls, groups):
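Review bot: The docstring of `_generate_choice` still reads only "name as html literal" although the new return line now runs every path segment through `h.html_escape` before joining with `cls.SEP` and wrapping in `literal`, so a caller cannot tell from the docstring that the label is already escaped and must neither be escaped again nor be rebuilt from the raw segments; suggest `"""Return tuple with group_id and name as html literal; each path segment is html_escape'd before joining with SEP, so the result is safe to render as-is."""`. The new local `import kallithea.lib.helpers as h` sits next to the existing function-scope `webhelpers2` import, presumably to avoid an import cycle between db.py and helpers — a short `# local import: helpers depends on db` would spare the next reader the guess. The commit adds no regression test; a case that builds a group whose name contains `<` or `&` and asserts the choice label carries `&lt;`/`&amp;` would pin the escaping (assuming the project's `html_escape` escapes those characters, which the hunk does not show). Note that the `-- top level --` branch deliberately returns a plain str rather than a literal, which is fine as long as the consuming template escapes plain strings, but is worth a one-line comment since the two return values are now of different kinds. The `@classmethod` decorator of `_generate_choice` lies above the hunk and the body of `groups_choices` continues below it.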